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SPECIFICATION 

TITLE OF THE INVENTION 

Computer System Having Failure Recovery Function, And 
Failure Recovery Method Thereof 

BACKGROUND OF THE INVENTION 

The present invention relates to a computer system having 
a failure recovery function, and more particularly to a computer 
system having a failure recovery function which is suitable for 
a disaster recovery system that achieves data integrity at the 
time of a disaster by remote -copying the data between storage 
device subsystems. 

For the purposes of handling a larger scale system and 
achieving the higher security of data, a system configuration 
constituted of two data centers (that is to say, a site where 
usual operation is performed and a backup site) has been 
generally used {hereinafter this configuration is referred to 
as "2DC configuration"). 

As a disaster recovery system having such a configuration , 
for example, the technology disclosed in the EMC's home page 
( ht tp : / / j apan . emc . com/ local / j a/ JP /product s /product^df s / srd 
f/srdf .pdf) is known. 

Here, instead of the 2DC configuration constituted of 
two data centers, that is to say, the site where operation is 



performed and the backup site, a disaster recovery system having 
a configuration constituted of three data centers will be 
reviewed (hereinafter this configuration is referred to as "3DC 
configuration") . In the description below, a site where usual 
operation is performed is called "production site" ; a site which 
is closed to the production site is called "local site"; and 
a site which is far from the production site is called "remote 
site" . 

In this disaster recovery system having the 3DC 
configuration, a storage volume of the production site is 
remote-copied to a storage volume of the local site, and then 
the storage volume of the local site is remote-copied to a 
storage volume of the remote site. This is how data is 
transferred. At this time, a disaster recovery management 
program (hereinafter referred to as "disaster recovery 
management program P" ) which operates in a host of the production 
site controls the above-mentioned series of remote copies. 

Incidentally, the conventional remote copy technology 
has the following problem: if the production site where the usual 
operation is performed suffers from a disaster, management 
information required for the execution of disaster recovery, 
which is managed by a disaster recovery management program 
operating on a host of the production site, cannot be transferred 
to the other local and remote sites, and therefore data cannot 
be quickly recovered at the time of the disaster. 



The present Invention has been devised to solve the 
above-mentioned problem. An object of the present Invention 
is to provide a computer system having a failure recovery- 
function. In which If a production site where usual operation 
5 Is performed suffers from a disaster, a disaster recovery 
management program Is executed from another site In which no 
failure occurs , and thereby the remote copy Is restarted to 
quickly recover data at the time of the disaster. 

10 SUMMARY OF THE INVENTION 

According to the present invention, a copy state is 
written to a copy management table in a production site every 
time a remote copy is executed. In addition, the copy management 
table including the copy state is also kept in each of the other 

15 sites . These copy states kept in the other sites are then 
updated in synchronization with the copy state in the production 
site. 

If the production site suffers from a disaster, a disaster 
recovery management program which operates in a host of a remote 
20 site (hereinafter referred to as "disaster recovery management 
program R") refers to a copy management table in a site where 
no disaster occurs, and then restarts copy processing from a 
point at which the copy processing has been stopped by the 
disaster. 

25 As a result , the newest data immediately before the usual 



operation site has suffered from the disaster Is copied to 
another operatable site. Accordingly, by use of this data, 
starting in this operatable site an application progreun which 
operated in the usual operation site makes it possible to restart 
the operation. 

In the above-mentioned example, the disaster recovery 
system having the 3DC configuration constituted of three data 
centers was described. However, the present invention can also 
be applied in a similar manner to a disaster recovery system 
including four data centers or more. 

Thus, according to the present invention, when the 
production site where the usual operation is performed suffers 
from a disaster, it is possible to quickly recover data at the 
time of the disaster by executing a disaster recovery management 
program from a site in which no failure occurs, and then by 
restarting remote copy. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a configuration diagram illustrating a computer 
system having a failure recovery function according to the 
present invention; 

Fig. 2 is a diagram Illustrating contents stored in a 
disk unit 108a of a host la Included in a production site 3; 

Fig. 3 is a diagram illustrating contents stored in a 
disk unit 108c of a host Ic included in a remote site 5; 
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Fig. 4 is a detailed diagram illustrating contents stored 
in a control memory 203; 

Fig. 5 is a diagram illustrating contents stored in a 
disk unit 108d of a management computer 8; 
5 Fig. 6 is a diagram illustrating a configuration of an 

inter- subsystem pair definition table 300 as an example; 

Fig. 7 is a diagram illustrating a configuration of an 
intra-subsystem pair definition table 400 as an example; 

Fig. 8 is a diagram illustrating a configuration of a 
10 volume definition table 500 as an example; 

Fig. 9 is a diagram illustrating contents of a copy 
management table 600 that is stored in a management -information 
storing volume; 

Fig. 10 is a flowchart illustrating processing of a volume 
15 definition program 122; 

Fig. 11 is a flowchart illustrating processing of a 
disaster recovery management program P120; and 

Fig. 12 is a flowchart illustrating processing of a 
disaster recovery management program R121 executed when only 
20 the production site 3 suffers from a disaster. 



DESCRIPTION OF THE PREFFERRED EMBODIMENTS 

Embodiments according to the present invention will be 
described with reference to Figs. 1 through 12 as below. 
25 To begin with, a configuration of a computer system having 
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a failure recovery function according to the present Invention 
will be described with reference to Fig. 1. 

Fig. 1 Is a configuration dlagreim of the computer system 
having the failure recovery function according to the present 
5 Invention. 

This system comprises a host la, a host Ic, a storage 
device subsystem 2a, a storage device subsystem 2b, a storage 
device subsystem 2c, and a management computer 8. These units 
are mutually connected through a network 9. In this system, 

10 both the host la and the storage device subsystem 2a as a whole 
Is called a production site 3; the storage device subsystem 2b 
Is called a local site 4; and both the host Ic and the storage 
device subsystem 2c as a whole Is called a remote site 5. This 
system is based on the assumption that the local site has no 

15 host . This system Is also based on the assumptions that usually 
the production site 3 and the local site 4 are geographically 
near each other (the distance between the sites Is several tens 
kilometers), and that usually the local site 4 and the remote 
site 5 are geographically far each other (the distance between 

20 the sites Is several hundred kilometers) . The production site 
3 is a site where operation is usually executed; and the local 
site 4 and the remote site 5 are sites where the production site 
3 is backed up. As described above, this embodiment describes 
the case where there are three sites. The present invention, 

25 however, can also be applied in a similar manner to a case where 



there are four sites or more. 

The host 1 and the management computer 8 are computers, 
each of which comprises a CPU 101, a memory 102, a display 103, 
a keyboard 104, a controller 105, a data Interface 106 , a network 
5 interface 107, and a disk unit 108. 

The storage device subsystem 2 is a storage device for 
storing data, and comprises a port 201, a disk controller 202, 
a control memory 203, a processor 204, a cache memory 205, and 
a disk unit 211. 

10 The disk units 108 and 211 are logical storage devices. 

In actuality, a plurality of physical storage devices may also 
constitute one logical storage device. In this case, a 
plurality of physical storage devices may also constitute a disk 
array. Here, the physical storage device is a physical storage 

15 device such as a hard disk drive and a DVD. 

An example of how a remote copy operates in this system 
will be described. Data of a disk unit 211a in the primary site 
3 is remote-copied to a disk unit 211b in the local site 4 . Data 
of the disk unit 211b is copied to a disk unit 211c in the same 

20 local site; and data of the disk unit 211c is remote-copied to 
a disk unit 211d in the remote site. Data of the disk unit 211d 
is copied to a disk unit 211e in the same remote site. In this 
manner, data of the production site 3 used for usual operation 
is successively copied to the local site 4 and the remote site 

25 5. 
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Next, how In this system a program and data are stored 
in both a memory and a disk unit will be described with reference 
to Figs . 2 through 5 . 

Fig. 2 is a diagram illustrating contents stored in a 
5 disk unit 108a of the host la in the production site 3. 

Fig. 3 is a diagram illustrating contents stored in a 
disk unit 108c of the host Ic in the remote site 5. 

Fig. 4 is a detailed diagram illustrating contents stored 
in the control memory 203. 
10 Fig. 5 is a diagram illustrating contents stored in a 

disk unit 108d of the management computer 8. 

As shown in Fig . 2 , a disaster recovery management program 
P120 is stored in the disk unit 108a. This program is read into 
a memory 102a, and is then executed by a CPU 101a. The disaster 
15 recovery management program P120 controls a remote copy from 
the production site 3 to the remote site 5 through the local 
site 4. 

As shown in Fig . 3 , a disaster recovery management program 
P121 is stored in the disk unit 108c. The disaster recovery 

20 management program R121 is read into a memory 102c, and is then 
executed by a CPU 101c. If the production site 3 suffers from 
a disaster, or if both the production site 3 and the local site 
4 suffer from a disaster, the disaster recovery management 
program R121 executes recovery processing. 

25 As shown in Fig. 4, an inter-subsystem pair definition 
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table 300, an Intra- subsystem pair definition table 400, and 
a voliame definition table 500 are stored in the control memory 
203. These tables will be described in detail later. 

As shown in Fig. 5, a volume definition program 122 is 
5 stored in the disk unit 108d. The volume definition program 
122 is read into a memory 102d, and is then executed by a CPU 
lOld. The volume definition program 122 will be described in 
detail later. 

Next, data structures of tables used in this system will 
10 be described with reference to Figs • 6 through 9 . 

Fig. 6 is a diagram illustrating a configuration of the 
inter- subsystem pair definition table 300 as an example. 

Fig. 7 is a diagram illustrating a configuration of the 
intra-subsystem pair definition table 400 as an example. 
15 Fig. 8 is a diagram illustrating a configuration of the 

volume definition table 500 as an example. 

Fig. 9 is a diagram illustrating contents of a copy 
management table 600 that is stored in a management -information 
storing volume. 

20 The inter- subsystem pair definition table 300 is stored 

in the control memory 203 of the storage device subsystem 2. 
As shown in Fig. 6, the inter- subsystem pair definition table 
300 comprises a group name field 301, a pair name field 302, 
a main port field 303, a main logical unit field 304, a sub port 

25 field 305, a sub logical unit field 306, and a state field 307. 
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As shown In Fig. 6, the group name field 301 Is a field 
to which a name of a group formed of associated pairs Is written. 
The pair name field 302 is a field to which a name of an associated 
pair Is written. The main port field 303 is a field to which 
5 information on a port of a storage device subsystem in a main 
site constituting one of the associated pair is written. The 
main logical unit field 304 is a field to which a logical unit 
name of the storage device subsystem in the main site 
constituting one of the associated pair is written. The sub 

10 port field 305 is a field to which information on a port of a 
storage device subsystem in a sub site constituting the other 
of the associated pair is written. The sub logical unit field 
306 is a field to which a logical unit name of the storage device 
subsystem in the sub site constituting the other of the 

15 associated pair is written. The state field 307 is a field to 
which information indicating a state of the associated pair is 
written. 

Here, a logical unit (hereinafter referred to as LU) is 
a unit by which a storage area formed of the disk unit 211 is 

20 managed. In addition, a volume is uniquely identified by a 
combination of a port name of a port used to access a LU and 
a LU name of the LU forming the volume. Therefore, a volume 
is expressed hereinafter by use of a port name and a LU name 
(port name, LU name). It is to be noted that although one LU 

25 corresponds to one volume in this embodiment, a plurality of 
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LUs may also constitute one volume. 

The example In Fig. 6 Illustrates Inter- subsystem pairs 
in the configuration shown in Fig. 1. A record 310a has a pair 
PI belonging to a group Gl. In this case, the following are 
5 shown: a volxime of a main site forming the PI is a volume (port 
201b, LUO); a volume of a sub site forming the PI is a volume 
(port 201d, LUO); and a state is ACTIVE. Here, the ACTIVE 
indicates that data replication processing between the pair 
shown in the record 310a (more specifically, synchronization 

10 of data contents in the main site with those in the sub site) 
is being performed. 

Next, the intra- subsystem pair definition table 400 is 
stored in the control memory 203 of the storage device subsystem 
2. As shown in Fig . 7, the intra- subsystem pair definition table 

15 400 comprises a pair name field 402, a main logical unit field 
403, a sub logical unit field 404, and a state field 405. 

The pair name field 402 is a field to which a name of 
an associated pair is written. The main logical unit field 403 
is a field to which a name of a main logical unit forming one 

20 of the associated pair is written. The sub logical unit field 

404 is a field to which a name of a sub logical unit forming 
the other of the associated pair is written. The state field 

405 is a field to which information indicating a state of the 
associated pair is written. 

25 The example in Fig. 7 illustrates intra-subsystem pairs 
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in the configuration shown in Fig. 1. An intra- subsystem pair 
definition table 400b is stored in a control memory 203b; and 
an intra-subsystem pair definition table 400c is stored in a 
control memory 203c. The record 410a has a pair PIO. In this 
6 case, a main volume constituting one of the PIO is a volume (port 
201d, LUO); a sub volume constituting the other of the PIO is 
a volume (port 201d, LUl); and a state is ACTIVE. 

Here, the ACTIVE indicates that data replication 
processing between the pair shown in the record 410a (more 
10 specifically, synchronization of data contents in the main 
logical unit with those in the sub logical unit) is being 
performed. 

Next, the volume definition table 500 is stored in the 
control memory 203 of the storage device subsystem 2. As shown 

15 in Fig. 8, the volume definition table 500 comprises a port field 
501, a LU field 502, a drive field 503, a size field 504, and 
a management -information storing field 505. 

The port field 501 is a field to which information on 
a port for identifying a volume is written. The LU field 502 

20 is a field to which information on a LU constituting, a part of 
the volume is written. The drive field 503 is a field to which 
information on the disk unit 211 constituting a part of the 
volume is written. The size field 504 is a field to which 
information on the size of the volume is written. The 

25 management -information storing field 505 is a field that 
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Indicates whether or not management information is stored. 

The volume definition table 500 is set beforehand by a 
user using the volume definition program 122. Here, the volume 
definition program 122 is a program that is executed by the 
5 management computer 8 connected to the network 3 . Through the 
management computer 8, the user transmits to the storage device 
subsystem 2 information on a volume to be set in the storage 
device subsystem 2. The storage device subsystem 2 writes the 
transmitted information to the volume management table 500. 

10 The excunple in Fig. 8 shows the volume used in the 

configuration in Fig. 1. A volume definition table 500a is 
stored in a control memory 203a; a volume definition table 500b 
is stored in a control memory 203b; and a volume definition table 
500c is stored in a control memory 203c. A record 510b shows 

15 the following: a volume (port 201b, LUl) is formed of a disk 
unit 211f; the size of the volume is 10 GB (gigabytes); and 
whether or not management information is stored is YES. Here, 
YES indicates that management information is stored. To be more 
specific, YES indicates that this volume is a management - 

20 information storing volume (hereinafter the management- 

information storing volume may also be called a management - 
information storing disk unit). 

Next, a copy management table 600 shown in Fig. 9 is a 
table that stores information for managing states of inter- 

25 subsystem copy and intra- subsystem copy. The copy management 



14 



table 600 Is stored In a file having a predetermlnecL file name. 
The disaster recovery management program PI 20 updates the copy 
management table 600 by overwriting this file in a 
management -information storing disk unit (disk unit 211a) of 
5 the primary site 3 whenever necessary. 

Its contents are then successively transmitted to the 
disk unit 211b, the disk unit 211c, the disk unit 2 lid, and the 
disk unit 211e by use of an inter- subsystem copy function and 
an intra- subsystem copy function. 

10 An executing state and an execution (frozen) state are 

set to a state of an inter- subsystem copy from the storage device 
subsystem 2a to the storage device subsystem 2b. An executing 
state and a disconnected state are set to a state of an 
intra-subsystem copy of the storage device subsystem 2b. An 

15 executing state and an interrupted state are set to a state of 
an inter- subsystem copy from the storage device subsystem 2b 
to the storage device subsystem 2c. An executing state and a 
disconnected state are set to a state of an intra-subsystem copy 
of the storage device subsystem 2c. What is set to the time 

20 stamp 605 is information on the time at which this record is 
written. 

Next, steps of the failure recovery of a computer system 
according to the present invention will be described with 
reference to Figs. 10 through 12. 
25 To begin with, processing of the volume definition 
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program 122 will be described with reference to Fig. 10. 

Fig. 10 is a flowchart illustrating the processing of 
the volume definition program 122. 

When the volume definition program 122 is started (step 
5 1000), a user uses a display 103d and a keyboard 104d to set 
the following information (step 1005): information on the 
storage device subsystem 2 used for volume definition; 
information on a port used for identifying a volume; information 
on a LU constituting a part of the volume; information on the 
10 disk unit 211 constituting a part of the volume; information 
on the size of the volume; and information indicating whether 
or not management information is stored. 

After that, the set definition information is sent to 
the specified storage device subsystem 2 (step 1010), and then 
15 the processing ends (step 1015). In the storage device 

subsystem 2 to which the definition information has been sent, 
the definition information is set to the volume definition table 
500. 

Next, processing of the disaster recovery management 
20 program P120 will be described with reference to Fig. 11. 

Fig. 11 is a flowchart illustrating the processing of 
the disaster recovery management program P120. 

The disaster recovery management program P120 is read 
into the memory 102a, and is then executed by the CPU 101a. The 
25 disaster recovery management program P120 controls a remote copy 



16 

from the production site 3 to the remote site 5 through the local 
site 4. 

What will be described next Is the following control: 
performing an Inter- subsystem copy from the storage device 
5 subsystem 2a to the storage device subsystem 2b; performing an 
Intra- subsystem copy of the storage device subsystem 2b; 
performing an Inter -subsystem copy from the storage device 
subsystem 2b to the storage device subsystem 2c ; and performing 
an Intra- subsystem copy of the storage device subsystem 2c. To 

10 be more specific. In this process, an Inter-subsystem copy Is 
performed from the disk unit 211f , which Is a management- 
Information storing volume, to disk unit 2119; an Intra- 
subsystem copy is performed from the disk unit 2119 to the disk 
unit 211h; an Inter- subsystem copy Is performed from the disk 

15 unit 211h to the disk unit 2111; and an Intra- subsystem copy 
Is performed from the disk unit 2111 to disk unit 211 j. 

Then, an inter- subsystem copy is performed from the disk 
unit 211a, which is not a management -Information storing disk 
unit, to the disk unit 211b; an intra- subsystem copy is performed 

20 from the disk unit 211b to the disk unit 211c; an inter- subsystem 
copy is performed from the disk unit 211c to the disk unit 211d; 
and an intra- subsystem copy is performed from the disk unit 2 lid 
to the disk unit 2 lie. It is to be noted that in the description 
below, by use of a command, the disk controller 202 is instructed 

25 to execute an inter- subsystem copy or an intra- subsystem copy. 



17 



When the disaster recovery management program P120 is 
started (step 1100), the disk controller Is Instructed to 
execute an Inter- subsystem copy from the storage device 
subsystem 2a to the storage device subsystem 2b, and also to 
5 Interrupt the other inter- subsystem copies; and in addition, 
the disk controller is instructed to disconnect an Intra- 
subsystem copy (step 1105). Then, states of the inter- 
subsystem copies and the intra- subsystem copies at this point 
of time (more specifically, the state 601 of the inter- subsystem 

10 copy from the storage device subsystem 2a to the storage device 
subsystem 2b is an executing state; the state 602 of the 
intra- subsystem copy of the storage device subsystem 2b is a 
disconnected state; the state 603 of the inter- subsystem copy 
from the storage device subsystem 2b to the storage device 

15 subsystem 2c is an interrupted state; and the state 604 of the 
intra- subsystem copy of the storage device subsystem 2c is a 
disconnected state) , and the time stamp 605, are set to the copy 
management table 600 (step 1107). 

Next, the disk controller is instructed to resynchronize 

20 the intra- subsystem copy of the storage device subsystem 2b, 
and also to resynchronize the intra- subsystem copy of the 
storage device subsystem 2c (step 1110). Then, states of the 
inter- subsystem copies and the intra- subsystem copies at this 
point of time (more specifically, the state 601 of the 

25 inter- subsystem copy from the storage device subsystem 2a to 
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the storage device subsystem 2b is an executing state; the state 
602 of the intra- subsystem copy of the storage device subsystem 
2b is an executing state; the state 603 of the inter- subsystem 
copy from the storage device subsystem 2b to the storage device 
subsystem 2c is an interrupted state; and the state 604 of the 
intra- subsystem copy of the storage device subsystem 2c is an 
executing state), and the time stamp 605, are set to the copy 
management table 600 (step 1112). 

Next, the disk controller is instructed to freeze the 
execution of the inter- subsystem copy from the storage device 
subsystem 2a to the storage device subsystem 2b. Then, states 
of the inter- subsystem copies and the intra- subsystem copies 
at this point of time (more specifically, the state 601 of the 
inter- subsystem copy from the storage device subsystem 2a to 
the storage device subsystem 2b is an execution (frozen) state; 
the state 602 of the intra- subsystem copy of the storage device 
subsystem 2b is an executing state; the state 603 of the 
inter- subsystem copy from the storage device subsystem 2b to 
the storage device subsystem 2c is an interrupted state; and 
the state 604 of the intra- subsystem copy of the storage device 
subsystem 2c is an executing state), and the time stamp 605, 
are set to the copy management table 600 (step 1117). 

Next, the disk controller is instructed to disconnect 
the intra- subsystem copy of the storage device subsystem 2b, 
and also to disconnect the intra- subsystem copy of the storage 
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device subsystem 2c (step 1120). Then, states of the 
inter- subsystem copies and the Intra- subsystem copies at this 
point of time (more specifically, the state 601 of the 
Inter- subsystem copy from the storage device subsystem 2a to 
5 the storage device subsystem 2b Is an execution (frozen) state; 
the state 602 of the Intra- subsystem copy of the storage device 
subsystem 2b Is a disconnected state; the state 603 of the 
inter- subsystem copy from the storage device subsystem 2b to 
the storage device subsystem 2c Is . an Interrupted state; and 

10 the state 604 of the intra- subsystem copy of the storage device 
subsystem 2c is a disconnected state), and the time stamp 605, 
are set to the copy management table 600 (step 1122). 

After that, the disk controller is Instructed to restart 
the execution of the Inter- subsystem copy from the storage 

15 device subsystem 2a to the storage device subsystem 2b (step 
1125). Then, states of the inter- subsystem copies and the 
intra- subsystem copies at this point of time (more specifically, 
the state 601 of the inter- subsystem copy from the storage device 
subsystem 2a to the storage device subsystem 2b is an executing 

20 state; the state 602 of the intra- subsystem copy of the storage 
device subsystem 2b is a disconnected state; the state 603 of 
the inter- subsystem copy from the storage device subsystem 2b 
to the storage device subsystem 2c is an interrupted state; and 
the state 604 of the intra- subsystem copy of the storage device 

25 subsystem 2c is a disconnected state), and the time stamp 605, 



are set to the copy management table 600 (step 1127). 

Next, the disk controller is instructed to execute the 
resynchronization of the inter- subsystem copy from the storage 
device subsystem 2b to the storage device subsystem 2c (step 
5 1130). Then, states of the inter-subsystem copies and the 
intra- subsystem copies at this point of time (more specifically, 
the state 601 of the inter-subsystem copy from the storage device 
subsystem 2a to the storage device subsystem 2b is an executing 
state; the state 602 of the intra- subsystem copy of the storage 

10 device subsystem 2b is a disconnected state; the state 603 of 
the inter- subsystem copy from the storage device subsystem 2b 
to the storage device subsystem 2c is an executing state; and 
the state 604 of the intra- subsystem copy of the storage device 
subsystem 2c is a disconnected state) , and the time steimp 605, 

15 are set to the copy management table 600 (step 1132). 

Next, the disk controller is instructed to interrupt the 
inter- subsystem copy from the storage device subsystem 2b to 
the storage device subsystem 2c (step 1135). Then, states of 
the inter- subsystem copies and the intra- subsystem copies at 

20 this point of time (more specifically, the state 601 of the 
inter- subsystem copy from the storage device subsystem 2a to 
the storage device subsystem 2b is an executing state; the state 
602 of the intra- subsystem copy of the storage device subsystem 
2b is a disconnected state; the state 603 of the inter -subsystem 

25 copy from the storage device subsystem 2b to the storage device 
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subsystem 2c Is an Interrupted state; and the state 604 of the 
Intra- subsystem copy of the storage device subsystem 2c is a 
disconnected state) , and the time stamp 605, are set to the copy 
management table 600 (step 1137). 
5 This results in the same state as that immediately after 

the execution of the step 1105. Accordingly, the processing 
after the step 1110 is repeatedly executed. As a result of the 
processing described above, contents of both the disk unit 211a 
and the disk unit 21 If in the production site 3 are copied to 

10 the disk unit 2 lie and the disk unit 211 j in the remote site 
5 through the local site 4. 

It is to be noted that when the copy management table 
is updated in the step 1107, 1112, 1117, 1122, 1127, 1132, or 
1137, copy management tables of the other sites are also updated 

15 in synchronization with this updated copy management table. 

The disaster recovery management program R121 is a 
recovery processing program executed when the production site 
3 suffers from a disaster, or when both the production site 3 
and the local site 4 suffer from a disaster. The disaster 

20 recovery management program R121 is read into the memory 102c 
in the remote site 5, and is then executes by the CPUlOlc. 

vniat will be lastly described with reference to Fig. 12 
is processing of the disaster recovery management program P121 
executed when only the production site 3 suffers from a disaster. 

25 Fig. 12 is a flowchart illustrating the processing of 



the disaster recovery management program R121 executed when only 
the production site 3 suffers from a disaster. 

In the first place, the disaster recovery management 
program R121 Is started when a disaster occurs (step 1200) . Copy 
management Infomnatlon 600 Is collected from all of surviving 
disk units for storing management Information, which survive 
after the disaster. After that, each time stamp value of the 
time stamp 605 of the collected copy management tables 600 Is 
checked. Then , on the basis of copy state Information ( the state 
601 of the Inter- subsystem copy from the storage device 
subsystem 2a to the storage device subsystem 2b; the state 602 
of the Intra- subsystem copy of the storage device subsystem 2b; 
the state 603 of the Inter- subsystem copy from the storage device 
subsystem 2b to the storage device subsystem 2c ; and the state 
604 of the Intra- subsystem copy of the storage device subsystem 
2c) In the management table 600 having the newest time stamp 
value, a point to which the flowchart of Fig. 11 has been executed 
is kept track of, and the processing shown in the flowchart of 
Fig. 11 is restarted (step 1220) . Vftien the last copy processing 
is completed, the processing ends (step 1230). As a result, 
data is transferred to the disk unit 2 lie and the disk unit 211 j 
in the remote site 5 . 

If both the production site 3 and the local site 4 suffer 
from a disaster, a surviving site is only the remote site 5. 
Accordingly, the disaster recovery management program R121 
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executes only the processing of the step 1110 In Fig. 11. 

As a result of the above-mentioned processing, the newest 
data immediately before the production site 3 has suffered from 
the disaster has been transferred to the remote site 5. 
5 Therefore, by use of this data, starting in the remote site 5 
an application program which operated in the production site 
3 making it possible to restart the operation. 



